General Data Protection Regulation: Guidance to Dgroups Foundation from WA-Research

On May 25, 2018, the new European General Data Protection Regulation (GDPR) came into effect. The Dgroups Foundation has received confirmation that WA Research, the company that hosts and develops the dgroups.org website, is fully compliant with the GDPR. Details are included in the guidance note that the Dgroups Board has received by WA Research – see text below or download in PDF.

We’re sure you are aware of the new European data retention regulation, GDPR, which came into effect on May 25, 2018.

Dgroups.org, the web site your organization operates, is already compliant with the GDPR. In principle, no further action is required on your part. However, should you wish to take additional steps, we’ve outlined a couple of possible steps you might take. See further below for details.

As the Dgroups Foundation is an EU legal entity, the EU laws and regulations do apply. As a data controller in the GDPR parlance, one of your obligations is to ensure that parties you engage with and process data on your behalf (processors), i.e WA Research, offer adequate guarantees regarding their actual capability to process personal data in line with the GDPR and protection of the rights of the data subject.

As WA Research SA, the company hosting the Dgroups.org website and services on your behalf, we hereby confirm that WA Research is fully compliant with the GDPR.

Dgroups.org and Data Privacy

As a communication service providing virtual communities for knowledge and information exchange, Dgroups.org is not set up to offer goods or services to data subjects who are in the European Union.

The software platform which Dgroups.org is based on, CommunityCloud, is designed with data privacy in mind. WA Research, the developer of CommunityCloud, will continue to apply all measures at our disposal to protect the individual and organizational rights to data privacy and freedom of expression. Our commitment is reflected in the software we design, and this benefits all users of Dgroups.org as well.

Dgroups.org only processes non-sensitive personally identifiable data: a participant’s email address, and optionally name and a photo. (A user’s profile may contain other information associated with the user, such as job title and employer, but WA Research does not consider this information as personally identifiable data). This data is collected for the purpose of enabling participation in conversations taking place within virtual communities. Establishing the identity of the participants is necessary for informed professional knowledge exchanges.

In GDPR parlance, the legal basis for processing personally identifiable data is legitimate interest. It is the legitimate interest of the Dgroups Foundation and its constituent Partners and individual Dgroup administrators/leaders to convene these virtual communities and knowledge exchanges, and it is the legitimate interest of all site users to join and participate in these communities.

With legitimate interest as your legal basis for processing, GDPR does not require you to ask for user consent to process the data. There is no need to send an email out to all Dgroups users to request consent to participate (indeed this would likely create unnecessary confusion and disruption in your communities).

Possible Action

The significant press coverage of the GDPR may contribute to internet users becoming more conscious of their data privacy rights and thinking more carefully how and where their data is used. Dgroups community leaders and members might express concern over how the Dgroups Foundation uses their personal data.

With that in mind, we recommend the following actions:

Update the terms of use at https://dgroups.org/terms—as WA Research, we’ve already updated the terms for you to be explicit about relevant data protection issues. Please review and freely modify as you see fit.

Educate community leaders — as community leaders have access to members’personal data in member profiles, they could potentially misuse this information. As the Regulation goes into effect, the Dgroups Foundation, and the partner organisations it is composed of, could be explicit that the data cannot be used outside of the stated terms that members consented to.